Wednesday, May 6, 2009

WARNING, RANT TO FOLLOW (These views are mine and mine alone and in no way reflect the thoughts or feelings of the other staff members of hackerscenter.com or any other affiliated organization of hackerscenter.com):

Ok, so here is the Trillion Dollar Question.... Is there any entity that has a connection which, in any way, shape or form, is connected to another entity, the world wide web, or even a phone line, that does not have weak links? If I remember correctly, if you really want to be C2 compliant (I know, I'm showing my age), then you shouldn't connect a computer to ANYTHING. As a security professional (ok, so I think I'm a professional, smile), I for one am getting tired of news agencies and press releases that state "/ENTER ANY NAME HERE/ Susceptible to Cyber Attacks". I for one am done, as we all know that there is nowhere safe to hide from people who are going to exploit technology for fun or profit. Let us move past this sensationalism in the press, start publishing ideas on how to better secure our on-line assets, and just stop pointing out the obvious (and I'm not singling out GCN, I happen to like their publication very much).

This issue of weakness in technology not only affects the American Government, but anyone and everyone with any type of technology that is connected to a relaying entity such as a phone company, satellite, external network, or internet ISP. What we are not seeing is the collaboration necessary to encourage a change in the culture and behavior of cyber criminals, vandals, miscreants, or plain geniuses with nothing better to do with their time. Crime is always going to be an issue in this industry, and the only way we can combat it is to give better incentive to companies to produce higher quality products, more thoroughly tested and secured. Yes, this means that it will be a lot more expensive to ensure that a product is vetted in order to limit the exposure, but I also believe there should be some guarantee that comes along with that product from the producer, much like what surge protector companies offered if their product failed to protect your assets from a power surge. Note I say limit, as there will always be ways to circumvent technology and the programming that is done by human minds in a logical/structured manner. What cannot continue to happen is that companies rush to get the product to market and worry about the ramifications later by supplying updates, patches, and hot fixes. I know I am not stating anything that has not been thought of or stated before now, but I am just really tired of this type of reporting. The media nowadays is obsessed with sex, violence, AND CYBERCRIME. At some point, media outlets will have to be the ones to effect change by not sensationalizing the issues at hand, but working in a way to better educate their constituents on how to better protect themselves and their organizations. It is my hope to actually see this type of news decline before I leave this world for a much better and technologically secure place!! (Ok, I'm finished, putting the soapbox back in the basement!!) I encourage comments (or backlash) to this post. I am really interested in how others feel about this, and if there are other ideas as to how to move past this dark spot in our cultures.

House lawmakers who held a hearing on threats to the country’s information infrastructure May 5 heard a familiar tale of inadequately protected government systems facing a growing array of increasingly sophisticated threats.

GAO and agency inspectors general have repeatedly identified vulnerabilities in the form of inadequate information system controls, Wilshusen said. At the same time, the number of incidents federal agencies have reported to the U.S. Computer Emergency Readiness Team has increased dramatically. In the past three years, such incidents have more than tripled — from 5,503 in fiscal 2006 to 16,843 in 2008.

Wilshusen made his statements before the House Oversight and Government Reform Committee’s Government Management, Organization and Procurement Subcommittee. He cited numerous GAO recommendations for improving cybersecurity and a number of recent initiatives that offer hope for improvement.

Other witnesses called for the White House to take a stronger leadership role in forming a national cybersecurity strategy.

“To date, there has not been an ongoing, coordinated, national approach with senior White House leadership that would drive strategy development and cohesive implementation, bringing the strengths and capabilities of the various agencies and the concerns and input of stakeholders to bear,” said Liesyl Franz, vice president of information security programs and global public policy at information technology industry group TechAmerica.

Threats have evolved in recent years from rapidly spreading worms and often obvious hacks to more targeted attacks that use a combination of technical and social tricks to get past defenses. Increasingly, the attacks are the work of organized criminals seeking financial gain. Espionage by foreign nations is also suspected as more breaches in government systems are discovered.

The Obama administration recently completed a review of the country’s cybersecurity initiatives and is expected to release a report with recommendations for revamping policies soon. Melissa Hathaway, who led the review, has said that the reviewers will recommend that the White House direct cybersecurity policy and agencies manage operational activities.

Franz agreed that White House officials cannot be expected to direct the operational details of cybersecurity.

“As part of the public dialogue on cybersecurity, some have expressed concern that a new adviser in the White House would take authorities or responsibilities away from the Department of Homeland Security or other agencies, but we do not believe that is the case,” she said. “Certainly, DHS and other agencies will have a large role to play in providing strategy input and implementing key elements of it.”

Franz also said TechAmerica officials believe the Federal Information Security Management Act needs to be reformed to emphasize risk management and security monitoring rather than more static certification and accreditation programs.

Witnesses described information security as crucial to the country’s economic development. Retired Air Force Lt. Gen. Harry Raduege Jr., chairman of the Deloitte Center for Network Innovation, said the government must lead by example, and it needs to start now.

“The federal government must become a model for cybersecurity, and it must start by securing our networks and information as quickly as possible,” Raduege said. “Improving the security of our federal networks and nation’s digital infrastructures will be a long-term effort, but immediate focused attention on this significant challenge is absolutely critical.”

Wilshusen cited widespread shortcomings in current information security programs. “Federal systems are not sufficiently protected to consistently thwart cyber threats,” he said. “Serious and widespread information security control deficiencies continue to place federal assets at risk of inadvertent or deliberate misuse, financial information at risk of unauthorized modification or destruction, sensitive information at risk of inappropriate disclosure, and critical operations at risk of disruption.”

He said that for years, most agencies have not implemented the security controls necessary to detect or prevent unauthorized access to IT resources. In fiscal 2008, weaknesses were reported in those controls at 23 of 24 major agencies.

“Over the past several years, we and the IGs have made hundreds of recommendations to agencies for actions necessary to resolve prior significant control deficiencies and information security program shortfalls,” Wilshusen said.

He also cited efforts such as the Comprehensive National Cybersecurity Initiative, the Information Systems Security Line of Business the Office of Management and Budget established, OMB’s Federal Desktop Core Configuration, and the General Services Administration’s SmartBuy program as opportunities for improving security.

“Until such opportunities are seized and fully exploited and GAO recommendations to mitigate identified control deficiencies and implement agencywide information security programs are fully and effectively implemented, federal information and systems will remain vulnerable,” Wilshusen said.